Time to rethink your cloud security strategy?

June 7, 2023
How policy as code can streamline and strengthen authorization

Cloud transformation is moving at breakneck speed. In fact, nearly 70% of companies accelerated their cloud migration plans last year.

Yet the rapid pace of digital transformation has led many organizations to rush their cloud governance strategy, or to skip defining one altogether. In fact, two-thirds of organizations say their cloud governance is still in the early stages of maturity.

Nowhere is that more evident than with authorization — the process of defining, enforcing, and managing access controls across the cloud-native stack. Despite increasingly complex security requirements, developers often underestimate the challenges and costs of implementing authorization policies across the cloud stack.

Cloud authorization and security have grown increasingly challenging — not to mention expensive — for platform teams to manage even when security teams assist them. There’s a better approach than do-it-yourself.

Instead of relying on siloed teams to write and enforce their own authorization policies, companies can define policy as code and manage authorization consistently across the enterprise. As organizations rethink their cloud strategy, policy as code provides a more collaborative, cohesive approach to security that lets teams work smarter rather than harder.

Complicated authorization policies are holding cloud migration back

Cloud environments are more dynamic, distributed, and complex than ever before. The vast majority of companies today don’t use a single cloud platform but rather rely on a combination of public cloud services, private cloud, and on-premises infrastructure.

But without strong security standards, the cloud environment leaves organizations exposed to more vulnerabilities and more room for human error. In fact, more than 80% of organizations experienced a security incident in the cloud over the last year. Even more jarring: half of those organizations reported at least four incidents in that time. It’s a startling outlook given the near-universal adoption of cloud infrastructure.

A large part of the problem comes down to access control. In particular, the security measures that work for on-premises systems — such as firewalls, browser isolation, and other perimeter-based defenses — don’t work as well in a complex, ever-changing cloud environment where there is no hard, static boundary to enforce.

Traditionally, organizations have handled this problem by building one-off, custom authorization logic. But that manual process becomes far more time-consuming, tedious, and error-prone in the cloud, because microservices, containerized applications, and application programming interfaces (APIs) are each made up of many discrete components, and each component needs its own authorization policy and security configuration.

When each team writes its own authorization policies, security teams are left with reactive measures that try to identify and remediate issues after they occur. Meanwhile, developers are forced to rely on inconsistent, unreliable institutional knowledge that provides little visibility and no enforcement guarantees for authorization policies. Moreover, DIY authorization merely replicates work that other organizations have already done.

The result is a sprawl of disjointed policies applied inconsistently across systems and networks — causing headaches for IT teams and security risks for the entire organization. After all, it only takes one misconfiguration to cause a security breach that can cost an organization thousands, even millions of dollars. 

This DIY approach to authorization exacerbates these challenges, forcing companies to accept missed deadlines, higher budgets, and security mishaps. In fact, McKinsey estimates that companies will waste $100 billion in cloud migration spending. Teams simply can’t afford to build, manage, and update each and every aspect of cloud security by hand.

How a collaborative approach can strengthen security and make life easier for developers

How can organizations simplify, streamline, and strengthen authorization in the cloud? Policy as code was designed to solve that exact challenge.

Policy as code expresses authorization rules as versioned, testable code rather than as ad hoc, hand-applied configuration. Changes can then be reviewed, tested, and deployed like any other software, which makes them faster, more consistent, and easier to share across security teams, developers, and other parts of the organization.

But “as-code” technology is just one part of the puzzle. Strengthening cloud security requires not only digital solutions, but also the expertise, experience, and organizational capacity to deploy policy as code effectively and efficiently.

As you reevaluate your cloud strategy, consider the following to help you simplify authorization, strengthen security, and gain greater value from the cloud.

  1. Start small with policy as code.

As you begin to adopt policy as code, start small, build on your successes, and scale over time. By implementing policy as code for one project or one team first, you can identify challenges and make adjustments before rolling it out to other areas, ensuring a smoother transition as you integrate policy as code across your organization.

One of the most effective approaches is to use Open Policy Agent (OPA). OPA (pronounced “oh-pa”) is an open-source, general-purpose policy engine with a declarative policy language, Rego, that lets you write, test, and unify authorization policies across the cloud stack. OPA decouples policy decisions from enforcement: a service, API gateway, or admission controller sends OPA a JSON description of the request and receives a decision back, so the same policy language and tooling can serve every layer. And because OPA is open source, your teams benefit not only from institutional knowledge within your organization but also from advice and input from peers and experts worldwide.
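To make the idea concrete, here is an added example of what such a policy looks like. It is not code from the article or from the OPA project; it is a deny-by-default Rego policy for a customer-records HTTP API, with its unit tests in the same file. It assumes OPA 0.59 or later (for the `rego.v1` import), and the shape of the `input` document (`method`, `path`, `user`, `roles`, `source_ip`) and the internal CIDR ranges are assumptions made for this illustration; in practice an API gateway or sidecar would supply those request attributes.

```rego
# Added example (not the article's or OPA's own code): deny-by-default
# authorization for an HTTP API exposing customer records.
# Requires OPA 0.59+ for `import rego.v1`. The input fields below and the
# internal network ranges are assumptions for this illustration.
package httpapi.authz

import rego.v1

# Hypothetical internal address ranges; anything else is treated as the
# public internet.
internal_cidrs := {"10.0.0.0/8", "192.168.0.0/16"}

# Nothing is allowed unless a rule below says so.
default allow := false

# A customer may read their own record from anywhere.
allow if {
	input.method == "GET"
	input.path == ["customers", input.user]
}

# Admins may read, update, or delete any customer record, but only when the
# request originates from an internal network. This is the "can customer data
# be reached from the public internet?" question, answered in the policy itself.
allow if {
	input.method in {"GET", "PUT", "DELETE"}
	input.path[0] == "customers"
	"admin" in input.roles
	from_internal_network
}

# True when the caller's source address falls inside one of the internal ranges.
from_internal_network if {
	some cidr in internal_cidrs
	net.cidr_contains(cidr, input.source_ip)
}

# Unit tests (constructed inputs). Run with: opa test -v .

test_customer_reads_own_record if {
	allow with input as {"method": "GET", "path": ["customers", "alice"], "user": "alice", "roles": [], "source_ip": "203.0.113.7"}
}

test_customer_cannot_read_other_record if {
	not allow with input as {"method": "GET", "path": ["customers", "bob"], "user": "alice", "roles": [], "source_ip": "10.1.2.3"}
}

test_admin_blocked_from_public_internet if {
	not allow with input as {"method": "DELETE", "path": ["customers", "bob"], "user": "carol", "roles": ["admin"], "source_ip": "203.0.113.7"}
}

test_admin_allowed_from_internal_network if {
	allow with input as {"method": "DELETE", "path": ["customers", "bob"], "user": "carol", "roles": ["admin"], "source_ip": "10.1.2.3"}
}
```

Save the file as `policy.rego` and run `opa test -v .` to execute the four tests; a single request can be evaluated with `opa eval -d policy.rego -i input.json 'data.httpapi.authz.allow'`, and a running OPA server answers the same question at `POST /v1/data/httpapi/authz/allow` with the request attributes as `input`. The point of the tests is that the access rules, including the network restriction, are checked in CI before a change ships, rather than discovered after an incident.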

  2. Build collaboration as you scale.

Authorization requirements cut across your entire organization, directly impacting your developers, IT department, security team, and others — and every stakeholder should be involved in strategic decision-making. You want to avoid a scenario where a solution that benefits one team comes at the cost of another.

As you look to scale policy as code, it’s crucial to bring together perspectives from across your organization and allow each team to outline their technology needs, identify shared goals, and work together to make decisions about the digital tools that will benefit everyone. Also, collaboration shouldn’t stop once authorization policies are in place. It should be a key consideration as you review policies, refine processes, and improve your security configuration over time.

  3. Swap DIY fixes for adaptable tech.

DIY solutions may be an effective short-term fix, but they are less extensible and less adaptable to advancing technology and turnover in personnel, which leads to long-term technical debt. When organizations take a DIY approach to authorization, policies are often inconsistently or haphazardly implemented with little visibility into how they are applied, making it impossible to understand how access controls are enforced across the stack. Organizations may even struggle to answer basic questions like whether a customer’s data can be accessed from the public internet.

On the other hand, companies that rely on adaptable technology that plugs into the cloud-native stack can easily monitor and audit authorization policies without having to manually sift through a complex web of code. Leveraging OPA and other open-source solutions not only saves time and money in the short run but also allows you to continue those savings long-term and streamline authorization as your organization grows and scales cloud operations.

  4. Create a culture of continuous learning.

For authorization solutions to function as intended, you need the right people and knowledge in place across your organization. The IT skills shortage hasn’t made this challenge any easier.

Technical education and training have always been important, but it’s even more vital as your cloud strategy matures. Create a culture of continuous learning that encourages employees of all backgrounds to better understand and use the digital tools at their disposal. In particular, your software team can help educate other parts of your organization with best practices for policy as code.

Today’s cloud environment generates newfound efficiency, heightened productivity and collaboration, and limitless opportunities for innovation. But as the cloud rapidly evolves, companies need security tools and strategies that can keep pace.

Inconsistent, cumbersome authorization can sour even the best cloud migration plans, leading to unexpected costs and delays rather than cost savings and efficiencies. In fact, nine out of 10 companies have experienced significant setbacks in implementing their cloud strategy, with one-third citing challenges with security management.

But it doesn’t have to be this way. By focusing on authorization and implementing policy as code, organizations reduce the cost of managing cloud infrastructure and apps — and stop potential problems in their tracks rather than trying to remediate them on a case-by-case basis. With DIY authorization off your plate, you have more resources to spend on innovation and products that will differentiate you from the competition.

About the author: Torin Sandall is vice president of Open Source, Styra. Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent over 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin was a Senior Software Engineer at Cyan (acquired by Ciena) where he designed and developed core components of their SDN/NFV platform.
